RT 2.0.13 - critical fix for remote exploit

45 minutes ago, I was informed of a remotely exploitable
bug in RT 2.0’s password verification routine that can
allow remote users who have HTTP access to an RT
instance’s web interface to gain administrative
permissions. This bug affects ALL releases of RT 2.0
prior to 2.0.13.

RT 2.0.13, which resolves this issue, is immediately
available from:

http://fsck.com/pub/rt/release/rt-2-0-13.tar.gz

Aside from the security fix, this release is identical to
RT 2.0.12.

If you cannot immediately upgrade your RT instance, you
MUST execute the following SQL statement to protect your
RT instance from exploitation:

update Users set Password = 'LOCK' where Password is null;

This SQL statement does not need to be executed if you
upgrade to RT 2.0.13.
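
One way to apply that stopgap with a before/after check, as an added example that is not part of the original announcement or of RT itself. It assumes only the Users table and Password column named in the statement above; the id and Name columns used in the listing are an assumption about the schema, and the transaction statements assume a database that supports them.

```sql
-- Added example, not from the original announcement: run the stopgap
-- inside a transaction and confirm its effect before committing.
-- Assumes RT 2.0's "Users" table with a "Password" column (as in the
-- announcement); the "id" and "Name" columns are assumed for the listing.

BEGIN;

-- 1. How many accounts currently have no password at all?
SELECT COUNT(*) AS null_password_accounts
  FROM Users
 WHERE Password IS NULL;

-- 2. List them, so these accounts can be given real passwords later.
SELECT id, Name
  FROM Users
 WHERE Password IS NULL;

-- 3. The stopgap from the announcement, unchanged.
UPDATE Users SET Password = 'LOCK' WHERE Password IS NULL;

-- 4. Verify: this must return 0 before you COMMIT. If it does not,
--    ROLLBACK and investigate rather than leaving the change half-applied.
SELECT COUNT(*) AS still_null
  FROM Users
 WHERE Password IS NULL;

COMMIT;
```

Run it from your database's command-line client before the upgrade. The row listing from step 2 is worth keeping: the announcement does not say that upgrading to 2.0.13 reverts the 'LOCK' value, so those accounts will need real passwords set by an administrator afterwards.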

Jesse Vincent
Best Practical Solutions, LLC

http://www.bestpractical.com/products/rt – Trouble Ticketing. Free.

rt-announce mailing list
rt-announce@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-announce